Q

XML security: Preventing XML bombs

With the use of Web services, XML security becomes increasingly important. Web services expert Rami Jaamour explains the damage an XML bomb can do and how to protect against it.

What is an XML bomb and how do I protect my Web service against it?
An XML bomb is a dangerous XML message that can be crafted by a malicious user. It could be sent by a service consumer (a client) as a request message to a Web service provider (a server) in order to cause a denial-of-service DoS attack. An XML bomb exploits Document Type Definition (DTD) processing functionality in XML parsers -- the software that parses an XML message -- by causing them to process an exponentially growing amount of data. A DoS attack could certainly be mounted by sending a message that is large in size to the service if the service is not configured to reject such messages. However, an XML bomb is actually a small XML message that is created in a way that makes the XML content grow only as it gets processed by the XML parser. Here is an example of an XML bomb:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE SOAP-ENV:Envelope [
  <!ELEMENT SOAP-ENV:Envelope ANY>
  <!ATTLIST SOAP-ENV:Envelope entityReference CDATA #IMPLIED>
  <!ENTITY x0 "foo">
  <!ENTITY x1 "&x0;&x0;" >
  <!ENTITY x2 "&x1;&x1;" >
  ...
  <!ENTITY x98 "&x97;&x97;" >
  <!ENTITY x99 "&x98;&x98;" >
] >
<SOAP:Envelope entityReference="&x99;" xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
 <SOAP:Body>
  <keyword xmlns="urn:parasoft:ws:store">foo</keyword>
 </SOAP:Body>
</SOAP:Envelope>
When a Web service receives such a message, and if the XML parser has DTD processing enabled, then it will cause the server to expand the entity reference x99;. This reference is defined in the DTD section which comes with the message (highlighted in red) to be equal to &x98; repeated twice, which is in turn defined as &x97; repeated twice and so on all the way to x0. In other words:

x0 = "foo"
x1 = "foofoo"
x2 = "foofoofoofoo"
…
x99 = "foofoofoofoofoo…foo" or "foo" repeated
      299 = 633825300114114700748351602688
As the service expands the value of x, the size of the string containing the concatenated words "foo" reaches exponential levels, which causes it to quickly consume the server memory that is allocated to the application. Such exhaustion of the server resources causes a DoS, as other legitimate requests would not be processed while the server is busy concatenating useless "foo" strings.

To protect against such attacks, be sure to either use known commercial or open-source SOAP stacks that disallows DTDs, such as Apache Axis, or that ship as part of application server frameworks, such as .NET, WebLogic, WebSphere, etc. You can also disable DTD parsing in your XML parser. Certainly, adopting standards-based packages is often more secure than implementing things on your own.
This was first published in February 2006

Dig deeper on Software Security Test Best Practices

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchSOA

TheServerSide

SearchCloudApplications

SearchAWS

SearchBusinessAnalytics

SearchFinancialApplications

SearchHealthIT

Close